Posted by: David Harley | April 23, 2015

Android: Google’s new look at malware

Every so often, Google comes up with a presentation that plays down the risk to Android users from malware. An article of mine that Infosecurity Magazine has just published – #RSAC: Android: malware? What malware? – looks at the implications of an RSA 2015 presentation by Lead Android Engineer Adrian Ludwig, deprecating the use of the word malware to describe ransomware, Trojans etc. because it’s ‘confusing’. The presentation is interesting for its insight into current Google security strategies, but in my book, unilaterally changing the terminology used to describe malicious software so that it sounds less frightening is too close to whitewashing to be useful.

David Harley
Small Blue-Green World

Posted by: David Harley | April 21, 2015

Yosemite and Rootpipe

Further to my recent blog on That OS X Backdoor… I mentioned that the vulnerability flagged by Emil Kvarnhammar – Hidden backdoor API to root privileges in Apple OS X – had been fixed in an update to Yosemite, but that earlier versions of OS X would not be patched.

Today, The Register followed up on its report on the issue with an article that tells us that OS X Yosemite still open to Rootpipe backdoor, warns ex-NSA bod. Synack’s Patrick Wardle – who presented an interesting paper at Virus Bulletin 2014 on Methods of malware persistence on Mac OS X – has announced that:

I found a novel, yet trivial way for any local user to re-abuse rootpipe – even on a fully patched OS X 10.10.3 system. In the spirit of responsible disclosure, (at this time), I won’t be providing the technical details of the attack (besides of course to Apple). However, I felt that in the meantime, OS X users should be aware of the risk.

According to Shaun Nichols’ article for The Register, Apple has not so far been available for comment.

David Harley
Small Blue-Green World

Posted by: David Harley | April 10, 2015

That OS X Backdoor…

According to Emil Kvarnhammar, a hidden backdoor API in the OS X Admin Framework has been present since 2011 if not earlier, and ‘can be exploited to escalate privileges to root from any user account in the system.’ ArsTechnica says that ‘To fully exploit the bug, attackers would need physical access to the targeted Mac’, but cites an example of how, as Kvarnhammar says, it could be ‘combined with remote code execution exploits.’

According to The Register ‘The flaw (CVE-2015-1130) is fixed in Apple’s patch run this week’ but Apple apparently told Kvarnhammar that because of the volume of changes required, it would not be back-porting the fix to versions 10.9.x and earlier, leaving users of versions older than (patched) Yosemite 10.10 vulnerable to potential exploits.

David Harley
Small Blue-Green World

Posted by: David Harley | April 9, 2015

Apple Fixes and Updates

Also worth reading: Paul Ducklin of Sophos talks on ‘Naked Security’ about how Apple fixes loads of security holes in OS X, iOS, Apple TV, Safari.

  • Yosemite update
  • Mavericks security update
  • Mountain Lion security update
  • iOS 8.3 (fixes two Lock Screen bugs)
  • Apple TV 7.2
  • Safari updates

And a terse summary of the new Photos app.

David Harley
Small Blue-Green World

Posted by: David Harley | April 9, 2015

Apple’s advice on adware

Remove unwanted adware that displays pop-up ads and graphics on your Mac is a recent post on Apple’s support site that gives advice on ‘uninstalling or removing ad-injection software’.

As well as advising readers to upgrade to a recent OS X version, it includes advice on configuring Safari and on removing specific (known) adware as listed in the article. I’m not in a position to test the removal advice, but if you have any reason to think that you might have been exposed to stuff like this, the article has to be worth a look.

David Harley
Small Blue-Green World

Posted by: David Harley | March 26, 2015

Cracking Your iGadget PIN

This isn’t the first time I’ve looked at PINs, and on occasion I have done so in the specific context of iOS devices: in fact, I spent some time on researching PIN and password selection strategies after encountering some analysis by Daniel Amitay of an anonymized sample set of 204,508 PINs used by iGadget owners to access his Big Brother application, after he kindly made his data available to me. As I said at the time:

While we cannot assume that a choice of passcode for Big Brother would reflect either screenlocking passcode selection or PIN selection practice, it seems reasonable to assume that, given the size of the sample, there is likely to be some correlation.

At the time, iGadgets offered a choice of passcode modes for screenlocking: off, simple four-digit passcode, or a more complex passcode. (It’s a little more complicated with recent versions of iOS.) And while I certainly wasn’t discouraging anyone from using a complex passcode, I was initially concerned to dissuade anyone from using the most commonly chosen PINs – for instance, the ones that fall most easily under the fingers, like a single repeated digit (the ergonomic strategy), or that are most easily memorized, as when digits are paired with the letters on the keypad. (For instance, 5683 could easily correspond to L-O-V-E.) After all, Amitay’s research indicated that 15% of all iPhone owners were using one of the ten most common passcodes. (5683 was one of that top ten.)

In some ways, the combination of a good passcode or password and a limit on the number of retries is hard to beat (in the absence of alternative approaches such as offline brute-force or guessing attacks). ATMs have a habit of swallowing smartcards after the third failed PIN entry. Similarly, smartphones tend to have an option to erase data and/or render the phone inaccessible after a set number of unsuccessful passcode entry attempts. In iOS, there is an option to erase after ten attempts. (Otherwise, the device is just temporarily disabled.) So it would seem that avoiding a fairly small subset of common PINs should keep you fairly safe where this combination of defences applies.

But what if that restriction can be bypassed? MDSec reports that for £200 the company was able to acquire a device called an IP Box that is used to automate brute-forcing the iOS screenlock passcode. Algorithmically speaking, that’s trivial for a 4-digit PIN: all you have to do is cycle through all 10,000 values from 0000 to 9999, and if you could do it offline, a small program would finish almost instantly. But what about that ten-strikes-and-out limitation?

According to MDSec, the IP Box bypasses it:

“by connecting directly to the iPhone’s power source and aggressively cutting the power after each failed PIN attempt, but before the attempt has been synchronized to flash memory. As such, each PIN entry takes approximately 40 seconds, meaning that it would take up to ~111 hours to bruteforce a 4 digit PIN.”

Not something you’re likely to do to someone’s phone while he nips to the restroom, but certainly not a major obstacle if you have a stolen phone and a few days to spare.

In the real world, there are a number of steps you might be able to take to deal with the data and connectivity on a stolen or lost smartphone, including remote wiping, once you’ve noticed that it’s gone (though a remote wipe only reaches a device that is still online, and a thief working through PINs at leisure has no reason to let it connect). But as Graham Cluley has already pointed out, it’s well worth the additional security to:

“Change your iPhone password from a simple 4 digit numeric code to a longer, more advanced version, which can include letters and symbols as well as numbers.”

Of course, the same applies to other devices.
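To make the ordering problem behind the IP Box attack concrete, here is a small Python model, added here and not part of the original post, and not Apple’s code or any claim about how iOS actually orders its writes. It puts a lock that records a failed attempt only after the result is visible beside one that commits the failure before comparing, runs the 0000–9999 sweep against both with the power cut after every try, and does the keyspace arithmetic behind MDSec’s ~111-hour figure, extended to 6-digit and alphanumeric passcodes. The 40-second cost per attempt, the ten-attempt limit and the sample PIN 5683 come from the text; the class and function names are my own.

```python
class Flash:
    """Stands in for the device's persistent storage: only what is written
    here survives a power cut. (Model only, not iOS internals.)"""

    def __init__(self):
        self.failed_attempts = 0


class NaiveLock:
    """Verify the candidate, report the result, *then* persist the failure
    counter. An attacker who watches for the unlock and pulls power before
    the write lands never consumes one of the ten attempts."""

    def __init__(self, pin, flash, max_attempts=10):
        self.pin = pin
        self.flash = flash
        self.max_attempts = max_attempts

    def try_pin(self, candidate, cut_power=False):
        if self.flash.failed_attempts >= self.max_attempts:
            return "wiped"
        if candidate == self.pin:
            self.flash.failed_attempts = 0
            return "unlocked"
        if cut_power:                 # power pulled before the counter is written
            return "wrong"
        self.flash.failed_attempts += 1
        return "wrong"


class CommitFirstLock(NaiveLock):
    """Persist the increment before comparing, and clear it only on success.
    Cutting power after the result is visible no longer helps, because the
    failed attempt is already durable."""

    def try_pin(self, candidate, cut_power=False):
        if self.flash.failed_attempts >= self.max_attempts:
            return "wiped"
        self.flash.failed_attempts += 1   # durable before the comparison
        if candidate == self.pin:
            self.flash.failed_attempts = 0
            return "unlocked"
        return "wrong"                    # cut_power changes nothing here


def brute_force(lock, cut_power=True):
    """Cycle 0000..9999 in order. Returns (pin_or_None, attempts_consumed)."""
    attempts = 0
    for i in range(10_000):
        candidate = f"{i:04d}"
        result = lock.try_pin(candidate, cut_power=cut_power)
        if result == "wiped":
            return None, attempts
        attempts += 1
        if result == "unlocked":
            return candidate, attempts
    return None, attempts


def keyspace(length, alphabet_size):
    """Number of distinct passcodes of the given length and alphabet."""
    return alphabet_size ** length


def brute_force_hours(space, seconds_per_attempt=40):
    """Worst-case wall-clock time at MDSec's ~40 s per attempt."""
    return space * seconds_per_attempt / 3600


if __name__ == "__main__":
    pin = "5683"   # constructed sample: one of Amitay's top ten
    print("naive lock, power cut each try:", brute_force(NaiveLock(pin, Flash())))
    print("naive lock, no power cut:      ", brute_force(NaiveLock(pin, Flash()), cut_power=False))
    print("commit-first lock, power cut:  ", brute_force(CommitFirstLock(pin, Flash())))
    for label, space in [("4 digits", keyspace(4, 10)),
                         ("6 digits", keyspace(6, 10)),
                         ("6 alphanumeric", keyspace(6, 62))]:
        print(f"{label:15s} {space:>16,} tries  ~{brute_force_hours(space):,.0f} h worst case")
```

Against the naive lock the sweep reaches 5683 on the 5,684th try with the counter still at zero; against the commit-first lock the same sweep is wiped after ten. The arithmetic makes Cluley’s advice quantitative: at 40 seconds a try, four digits cost about 111 hours, six digits about 11,000, and six mixed-case alphanumerics far longer than any thief will wait.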

David Harley
Small Blue-Green World

Posted by: David Harley | March 18, 2015

Android, iOS, and OS X

1) ITSecurity blog updated to take into account OpenSSL’s advisory.

2) Patrick Wardle’s paper on Dylib hijacking on OS X is now available via the Virus Bulletin blog.

I’ve just posted an article on Android exfiltration, OpenSSL, and iOS app memory handling (so I won’t cover those issues again here, but there are pointers to some articles that particularly interested me).

However, there are also a couple of interesting articles around on OS X security issues.

“As described by Macissues, users of recent Safari versions on the newest flavours of OSX are finding that so-called “private” URLs are turning up in the SQLite database that stores Favicons.”

The issue isn’t addressed by the new Safari update.

David Harley
Small Blue-Green World


Posted by: David Harley | March 11, 2015

OS X and iOS the most vulnerable operating systems?

There’s a recent article from me for ESET on OS X and iOS, and the assertion that they’re the most vulnerable operating systems: Operating System Vulnerabilities, Exploits and Insecurity.

The assertion was made by Cristian Florian in an article for GFI’s on the Most vulnerable operating systems and applications in 2014, based on data from the National Vulnerability Database.

I wouldn’t say it was completely wrong, but I do think it’s misleading. And I discuss the reasons why in some detail in the ESET blog.

Top marks for pedantry to Charles Schloss (@chasapple) who pointed out, quite correctly, that OS X is now described simply as OS X, not as Mac OS X (it has been since the release of Mountain Lion), so that, strictly speaking, there were no ‘Mac OS X’ patches last year at all.


David Harley
Small Blue-Green World

Posted by: David Harley | February 23, 2015

A headline of little importance

This is a depressing headline: Survey: Mac users more educated, less Harley-loving. ;)

It’s actually quite an old story (2011) that popped up in my search engine while I was looking for something completely different, but you may find it interesting. On the other hand, you might wonder whether the survey did a better job of reinforcing stereotypes than of providing useful insights. At least it apparently worked on a large dataset:

…it took answers from 388,315 people and then cross-referenced the data with other questionnaires in order to cull vital computing information.

I say apparently because the survey has since disappeared, seemingly following the acquisition of Hunch – a site that made recommendations to users based on the tastes and opinions that they entered into the system – by eBay in 2011.

As you’ll already know if you tried to follow the link in that quote, URLs now redirect to eBay, leaving only some amusing third-party commentary on untestable conclusions. Sometimes that feels like the internet in microcosm. I think I feel a conference abstract coming on.

David Harley

Posted by: David Harley | February 12, 2015

OpinionSpy resurgent

Some of us were slightly confused back in 2012 when Intego flagged a problem with the alleged spyware/adware program it calls OSX/Opinionspy – a market research program calling itself PremierOpinion.

A few days ago, however, Thomas Reed flagged what appears to be a more recent version in an article on The Safe Mac, and after further research by Intego, Graham Cluley has published an article on the company’s blog that expands on the story. Read more about it on the ITSecurity UK blog.

David Harley
Small Blue-Green World
